This behaviour was spotted when the firm noticed that smartphones that had been infected with the hugely successful but apparently unrelated Opfake.a Trojan were being used as a launching pad for Obad.a to send malicious links to everyone in that victim's address book.

According to Kaspersky, the malware was also being spread via convincing-looking copies of the Google Play store as well as a campaign of mobile spam. Someone wants to get Obad.a on to as many Android devices as possible.

So far, they've been successful in Russia with a smaller number of infections in nearby republics such as Ukraine, Belarus, Uzbekistan and Kazakhstan. One Russian mobile network had detected 600 of Obad's spam messages in a matter of hours, suggesting that its piggyback tactic was working, Kaspersky said.

"In three months we discovered 12 versions of Backdoor.AndroidOS.Obad.a. All of them had the same function set and a high level of code obfuscation, and each used an Android OS vulnerability that gives the malware DeviceAdministrator rights and made it much more difficult to delete," observed Kaspersky researcher, Roman Unuchek.

The vulnerability in question had been closed in Android 4.3 which meant that large numbers of devices not running this version remained vulnerable, he added.

"Obad.a, which uses a large number of unpublished vulnerabilities, is more like Windows malware than other Trojans for Android."

Although Obad.a is at core just another SMS fraud Trojan targeting Russian Android users, its complexity and innovation has surprised researchers. As well as exploiting flaws in Android, it has been designed to download secondary capabilities as it pleases.

Last month, research by Lookout Mobile Security reckoned that the Russian criminals sector dedicated to creating mobile SMS fraud apps could be controlled by as few as 10 organisations.

Latest Videos

​Email fraud is nothing new, but online criminals have become ever more-effective at spoofing their identities to trick employees into sending them money. The Australian Centre for Cyber Security (ACSC) recorded losses of over $20M to business email compromise (BEC) attacks last year alone, up 230 percent over the previous year – and the full amount is certain to be much larger.​

No matter how robust your security, or how diligent your employees, network credentials are a free pass for cybercriminals. This is mostly because employees are relied upon for their own password management. And with more than 4.8 billion sets of stolen credentials said to be available online, odds are that at least a few of your employees’ user IDs and passwords are just waiting to be used by unscrupulous outsiders. Are you ready to stop them?

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.